Forum Replies Created
-
Posts
-
You should be able to adjust the keyboard layout in System Settings, Peripherals, Keyboard. There you can adjust the character set and keyboard layout/region.
I”m not familiar enough with your corporate infrastructure to give a very informed comment. With that said, anyone from outside our organization (home teleworker or small office leveraging landlord internet and no infrastructure) is setup to use 2 factor authentication. From a security perspective I couldn’t imagine doing anything different.
Here’s an example of how logging on to citrix.cloud.com/go/organizationname goes for me when using the “Sign in with company credentials” on the browser.
<span style=”text-decoration: underline;”>Internal – On Corporate Network</span>
- Browse to citrix.cloud.com/go/organizationname
- Federated Services detects i’m coming from an approved network
- Pass-through authentication via email address only
- citrix.cloud.com console loads
<span style=”text-decoration: underline;”>External – Off Network</span>
- Browse to citrix.cloud.com/go/organizationname
- Microsoft Authentication prompt for organizational email address
- Federated Services prompt for autofilled email address and AD password
- Microsoft Authenticator app prompt to Allow or Deny network connection attempt
- citrix.cloud.com console loads
I’m not a Citrix engineer so I’m not much help on how you could configure this to not allow two factor authentication, but that would seem very insecure to me.
In WMS check the “Device Settings (8.6+)” section.
- Disable manual override: WMS defined configurations used for all devices
- Enable all manual overrides: Client defined configurations (manual override) used for all devices
- Enable selective manual overrides: Selective client defined configurations (selective manual overrides) used per selected devices
I would suggest enabling all manual overrides and see if that helps. When I was testing DHCP option tagging moving to 8.6 and i hadn’t configured the Device Settings (8.6+) it didn’t seem to play nicely if you have other settings for audio or visual in an advanced line config. I don’t recall what the “default” undefined setting is if you’ve never configured it before.
I would open a case with Dell, get your USB key out and setup persistent logging on one of the devices this is occurring on. After its replicated and logs are captured for event log and network, on the next reboot hit Ctrl+Esc to escape out of the network check and get the do Troubleshooting section of System Settings to end your capture. I would get your capture on 8.6_027 since they seem to have enhanced their log captures in that version.
One thing I always do in my testing before pushing to production is a copy/paste/compare of the WMS.INI output of the current firmware and new firmware to see what parameters may have been added/modified/removed by the WTOS upgrade process. Notepad++ has a compare feature and I’ve spotted some oddities from time to time.
I don’t think the Citrix Cloud or on-prem should make a difference. Unless I’m misunderstanding you should be able to do this now by plugging in your Citrix Broker URL. The only thing that may prevent you from connecting is your MFA method. If its RSA two-factor that should be fine, but if its Azure MFA using SAML based authentication that’s not supported and may not be supported on the initial release of ThinOS 9. I have a case open with Dell to get SAML based authentication working with Azure MFA.
We do have Microsoft MFA working with our on-prem authenticator hardware using RADIUS. Currently SAML authentication isn’t supported in ThinOS
I have a local thin client screensaver on my 3040 devices after 20 minutes so my INI parameter looks like this… LockTerminal=0 is disabling the local terminal lock and Ctrl+Alt+Del locks the remote desktop in either RDP or Citrix.
ScreenSaver=20 LockTerminal=0
Engineering has been able to recreate the issue, and have found that the code has time query to determine if it’s time to renew the certificate and that code parameter is not working as expected.( Per WTOS engineer)
In WMS, under “Display” you can configure the dual monitors (dualhead) and leave a standard configuration using Resolution of DDC and rotation of “none”
Then under Device Settings (8.6+) you can enable selective manual overrides and tick the box for “Monitors” so the user can override the settings and they stick.
Or under Advanced Device Configuration you can do an advanced line config of Dualhead=yes ManualOverride=yes
You can use something like Dualhead=yes ManualOverride=yes so whatever the user chooses it will stay that way after reboot once they configure it themselves.
From the 8.6_027 Admin Guide page 86 shows the chart that the 5070 supports resolution of 1280 x 720 at 30 frames with RTME 2.7, and the 7010 supports resolution of 424 x 240 at 15 frames; both using Logitech C930e cameras, so that would be a noticeable difference.
I got a response 10/14 that this has been submitted for an official bug fix. I’ll update if i get a beta preview.
This is now with Dell Engineering. No bug ticket submitted yet but they’re looking at it.
If you’re using WMS Cloud or the GUI interface, under the Citrix Broker section there is a Timeout section
“Timeout – Specifies a time in seconds the device will try to establish a connection before reporting the broker is unreachable.”
From that drop down there are various times you can select from 5-300 with the max looking like its 300, so 600 would end up being an invalid parameter which you should be able to verify in the Event Log on your devices.
Thanks ConfGen
I tested removing the “dummy=command” and adding the „ \“ (Space+backslash) and no longer receive invalid parameter as I used to when we had „ \“ (Space+backslash) in our configuration 2 years ago, so you are correct in the fact that we do not need that command any longer.
ScepAutoEnroll=Yes AutoReNew=Yes InstallCACert=Yes ScepAdminUrl=”xxxxxxxxxx.xxxx.xxxxxxxxxx.net/certsrv/mscep_admin” ScepUser=xxxxxxx ScepUserDomain=xxxxxxx ScepUserPwd=************ \
CommonName=$SN KeyUsage=digitalSignature;keyEncipherment KeyLength=2048 RequestURL=”xxxxxxxxxx.xxxx.xxxxxxxxxx.net/certsrv/mscep/mscep.dll” CACertHash=’xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx’ EnrollPwd=********************************IEEE8021X=yes network=wired eap=yes eaptype=EAP-TLS tlsclntcert=$SN.pfx tlsauthtype=machine
Unfortunately, the certificate still will not update. The $SN.pfx certificate shows valid from 2018-02-15 to 2020-02-15 and we are beyond the half-life at 2019-10-10 today.
I really appreciate your help and suggestions. Does the CA server need to be set to something specific for this to overwrite the existing certificate or is it up to the Thin Client to see the expiration date and know this needs to be overwritten? You’ll have to forgive my lack of knowledge around the CA Certs, its managed by our security group and its not my forte.
EDIT: I’m also testing this on a 3040 ThinOS running 8.6_019 and 8.6_027, with High privilege level locally so it shouldn’t be a privilege level issue.
